Adds Machine Secret Key rotate endpoint (v2)

machine/client.go

@@ -64,6 +64,24 @@ func (c *Client) GetSecretKey(ctx context.Context, id string) (*clerk.MachineSec
 	return secretKey, err
 }
 
+type RotateSecretKeyParams struct {
+	clerk.APIParams
+	PreviousTokenTTL int64 `json:"previous_token_ttl"`
+}
+
+// RotateSecretKey rotates the secret key for a machine.
+func (c *Client) RotateSecretKey(ctx context.Context, machineID string, params *RotateSecretKeyParams) (*clerk.MachineSecretKey, error) {
+	path, err := clerk.JoinPath(path, machineID, "secret_key", "rotate")
+	if err != nil {
+		return nil, err
+	}
+	req := clerk.NewAPIRequest(http.MethodPost, path)
+	req.SetParams(params)
+	secretKey := &clerk.MachineSecretKey{}
+	err = c.Backend.Call(ctx, req, secretKey)
+	return secretKey, err
+}
+
 type UpdateParams struct {
 	clerk.APIParams
 	Name            *string `json:"name,omitempty"`

machine/client_test.go

@@ -114,6 +114,57 @@ func TestMachineClientGetSecretKey(t *testing.T) {
 	require.Equal(t, secret, secretKey.Secret)
 }
 
+func TestMachineClientRotateSecretKey(t *testing.T) {
+	t.Parallel()
+	id := "machine_123"
+	newSecret := "sk_test_NEW123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"
+	previousTokenTTL := int64(7200)
+	config := &clerk.ClientConfig{}
+	config.HTTPClient = &http.Client{
+		Transport: &clerktest.RoundTripper{
+			T:      t,
+			In:     json.RawMessage(fmt.Sprintf(`{"previous_token_ttl":%d}`, previousTokenTTL)),
+			Out:    json.RawMessage(fmt.Sprintf(`{"object":"machine_secret_key","secret":"%s"}`, newSecret)),
+			Method: http.MethodPost,
+			Path:   "/v1/machines/" + id + "/secret_key/rotate",
+		},
+	}
+	client := NewClient(config)
+	secretKey, err := client.RotateSecretKey(context.Background(), id, &RotateSecretKeyParams{
+		PreviousTokenTTL: previousTokenTTL,
+	})
+	require.NoError(t, err)
+	require.Equal(t, "machine_secret_key", secretKey.Object)
+	require.Equal(t, newSecret, secretKey.Secret)
+}
+
+func TestMachineClientRotateSecretKey_Error(t *testing.T) {
+	t.Parallel()
+	config := &clerk.ClientConfig{}
+	config.HTTPClient = &http.Client{
+		Transport: &clerktest.RoundTripper{
+			T:      t,
+			Status: http.StatusBadRequest,
+			Out: json.RawMessage(`{
+  "errors":[{
+		"code":"rotate-secret-key-error-code"
+	}],
+	"clerk_trace_id":"rotate-secret-key-trace-id"
+}`),
+		},
+	}
+	client := NewClient(config)
+	_, err := client.RotateSecretKey(context.Background(), "machine_123", &RotateSecretKeyParams{
+		PreviousTokenTTL: 3600,
+	})
+	require.Error(t, err)
+	apiErr, ok := err.(*clerk.APIErrorResponse)
+	require.True(t, ok)
+	require.Equal(t, "rotate-secret-key-trace-id", apiErr.TraceID)
+	require.Equal(t, 1, len(apiErr.Errors))
+	require.Equal(t, "rotate-secret-key-error-code", apiErr.Errors[0].Code)
+}
+
 func TestMachineClientUpdate(t *testing.T) {
 	t.Parallel()
 	id := "machine_123"